Full Report
After covering cloud security posture management (CSPM) and cloud workload protection (CWP) in the first two installments of Tenable’s “Stronger Cloud Security in Five” blog series, today we focus on securing your cloud identities. Protecting them is a tall order, but it’s critical because identities are your cloud security perimeter. Read on to learn more about how to secure them.Cloud environments are dizzyingly dynamic and can have tens of thousands of human and service identities, each with its own access rights and identity risks – making your cloud identity security landscape highly complex.In fact, identity and access management (IAM) ranked as the second most critical threat to cloud environments in the Cloud Security Alliance’s “Top Threats to Cloud Computing 2024” report.“As cyber threats become more sophisticated, securing sensitive information against unauthorized access becomes increasingly daunting, making the robust implementation and continual refinement of IAM strategies indispensable to fortifying cybersecurity defenses,” the CSA tells us.As Tenable Senior Manager of Security Engineering Christopher Edson explains in a blog: “Almost everything in the cloud is one excess privilege or misconfiguration away from exposure.”If your organization — like most — uses multiple cloud security providers (CSPs), your identity challenges will multiply, as each CSP has its own set of configurations, identity tools and access management structure.Yet, all CSPs agree on this: In infrastructure-as-a-service and platform-as-a-service environments, it’s the customer’s responsibility to secure identities. One such example is AWS’s shared responsibility model.So how do you manage the access permissions of myriad identities across your ever-changing multi-cloud environment? How do you ensure that your identities’ access levels comply with the least-privilege principle and support your zero-trust architecture?To tackle this challenge, it’s key to have a unified cloud native application protection platform (CNAPP) with a strong cloud infrastructure entitlements management (CIEM) solution. With centralized control over all identities, you’ll always know who has access to which cloud resources and what your top permissions risks are.A unified CNAPP with CIEM can help your organization implement these five best practices for managing and securing your cloud identities.1 - Obtain end-to-end multi-cloud visibilityYou need continuous and detailed visibility into all your cloud identities – both native and federated – as well as into their resource access permissions and security policies. It’s also critical to have a consistent, unified view of identities across all your cloud environments.Leveraging a CIEM tool that has an interactive dashboard and rich visualization capabilities, you’ll see core identity information at-a-glance, such as:the relationships and connections between identitiestheir compute, data and network resourcestheir security risks, such as excessive access rights and potential vulnerabilities, misconfigurations, anomalies and policy violationsFinally, this process of inventorying and monitoring identities must be continuous, because access to resources and systems in multi-cloud environments shifts constantly. Thus, cloud entitlements must be adjusted frequently and at-scale to align your environment with the principle of least-privilege, such as by eliminating unused identities, fine-tuning access policies and “rightsizing” permissions.2 - Analyze risksIn addition to full visibility into your identity landscape, you must be able to analyze this identity data and discover policy violations and identity risks, such as inactive users and access credentials that have never been updated.The analysis needs to be continuous and deep, correlating multiple elements of a human or service identity and surfacing risky scenarios that can allow attackers to escalate privileges, move laterally and swipe sensitive data.For example, you must be able to detect dangerous combinations, such as:Virtual machines with admin privileges that have critical vulnerabilitiesUsers with access to sensitive data whose accounts aren’t secured with MFAA developer with access to secrets like API keys who starts behaving suspiciouslyYou should also be able to proactively query and drill down on your unified, multi-cloud identity data to proactively investigate threats, such as unusual data access and login setting changes.With granular details and enriched context about identity risks from multiple sources, including your CSPs’ activity logs, you’ll be able to assess your identity exposure and prioritize remediation.3 - Conduct continuous access-compliance monitoringKeeping your multi-cloud environment in compliance with government regulations, industry mandates and internal policies is increasingly challenging – and identity management is central to your cloud compliance efforts.That’s why it’s key to have unified access-control governance and compliance, with automated and consistent monitoring, auditing and enforcement of identity security policies — across your multi-cloud environment.This way, you’ll be able to quickly and consistently detect and address compliance gaps and ensure you’re adhering to policies governing areas such as credential rotation and MFA use.Plus, you should easily track compliance metrics from a central dashboard, as well as generate reports that document how its cloud identity management processes yield compliance with specific regulations and industry standards.4 - Automate remediationThe remediation process must be automated so that it can scale and match the dynamic nature of cloud entitlements. For example, tools like guided wizards can walk you through the adjustment of a role’s access rights. Meanwhile, integrations between your CNAPP’s CIEM and your security information and event management (SIEM) and ticketing systems streamline remediation collaboration and reduce remediation time. In addition, you can increase IaC security by deploying snippets that enforce identity policies early in the development cycle.5 - Deploy just-in-time (JIT) accessAnother powerful capability is just-in-time (JIT) access management, which temporarily assigns privileges to identities, such as for the duration of a specific project. When the time-limited period ends, the access is automatically revoked or lowered. JIT is an antidote to the pervasive threat of static, long-lived excessive permissions. JIT also automates the process for users to request temporary entitlement elevations.Learn how you can take action to boost your cloud security in just five minutes.
Analysis Summary
# Best Practices: Strengthening Cloud Identity Security
## Overview
These practices focus on implementing robust controls and automation strategies for securing identities across multi-cloud environments. The goal is to reduce the risk associated with excessive, static, and unmonitored cloud entitlements by focusing on continuous monitoring, policy enforcement, and just-in-time access.
## Key Recommendations
### Immediate Actions
1. **Implement Continuous Monitoring and Auditing:** Deploy tools capable of continuous monitoring, auditing, and enforcement of identity security policies across the entire multi-cloud footprint.
2. **Establish Credential Rotation Monitoring:** Immediately begin monitoring and enforce policies related to credential rotation schedules for all cloud identities.
3. **Enforce Multi-Factor Authentication (MFA) Usage:** Verify and enforce the mandatory use of MFA for all administrative and privileged cloud identities.
### Short-term Improvements (1-3 months)
1. **Deploy Centralized Compliance Dashboards:** Configure central dashboards to track key identity compliance metrics, enabling rapid visualization of adherence to policies (e.g., MFA usage, credential hygiene).
2. **Document Compliance Reporting for Identities:** Set up automated reporting capabilities to document how cloud identity management processes meet requirements for specific regulations and industry standards.
3. **Integrate Identity Events with SIEM/Ticketing:** Establish integrations between your Cloud Security Posture Management (CSPM) or Cloud Infrastructure Entitlement Management (CIEM) tools with your Security Information and Event Management (SIEM) and ticketing systems to streamline incident response.
### Long-term Strategy (3+ months)
1. **Automate Remediation Workflows:** Implement automated remediation processes to manage and adjust dynamic cloud entitlements at scale.
2. **Integrate IaC Security for Identity Policies:** Embed identity policy enforcement *early* in the development cycle by deploying Infrastructure as Code (IaC) snippets that prevent the creation of overly permissive resources or roles.
3. **Deploy Just-in-Time (JIT) Access Management:** Implement a JIT solution to temporarily assign privileges to identities only for the duration of a specific task or project, ensuring automatic revocation upon task completion, eliminating static, long-lived excessive permissions.
4. **Streamline User Access Request Process:** Automate the process for users to request temporary entitlement elevations through the JIT system.
## Implementation Guidance
### For Small Organizations
- Focus initial efforts on the highest-risk identities (administrators, sensitive resource access).
- Prioritize implementing MFA across all accounts immediately.
- Utilize cloud-native identity governance tools or lightweight third-party solutions to begin central monitoring cheaply.
### For Medium Organizations
- Begin formalizing the integration between CIEM/CNAPP tools and existing SIEM/ticketing systems for faster collaboration on remediation.
- Develop a roadmap for assessing and systematically reducing static, long-lived permissions by piloting JIT access for a specific, high-use role.
- Start incorporating basic identity checks within CI/CD pipelines for new infrastructure deployments.
### For Large Enterprises
- Mandate and enforce identity policy adherence through IaC snippets across all development teams to shift security left effectively.
- Deploy guided wizards or workflow automation tools to simplify the adjustment of role access rights based on continuous monitoring feedback.
- Ensure comprehensive, documented compliance reporting that maps current entitlement states directly back to regulatory controls across all cloud providers.
## Configuration Examples
* **JIT Access Configuration:** Configure access rules to grant specific roles (e.g., `DevOpsEngineer`) elevated permissions (e.g., `EC2_Admin`) only between 9:00 AM and 11:00 AM UTC, or for a specific ticket ID, with automatic revocation upon expiration or ticket closure.
* **IaC Snippets:** Deploy reusable policy modules (e.g., in Terraform or CloudFormation) that inherently deny the creation of IAM users without mandatory MFA flags defined or that restrict overly broad wild-card actions (`*`) in new roles.
## Compliance Alignment
- **NIST CSF:** Primarily aligns with the **Protect** function (e.g., Access Control, Data Security) and the **Detect** function (Continuous Security Monitoring).
- **ISO 27001/27002:** Focuses heavily on A.9 (Access Control) and A.12 (Operations Security), especially regarding privilege management and monitoring.
- **CIS Benchmarks:** Aligns with controls related to Identity and Access Management (IAM) configuration across major cloud providers (e.g., requiring MFA, enforcing least privilege).
## Common Pitfalls to Avoid
- **Treating Remediation as a Manual Task:** Relying on manual review and ticketing for entitlement changes in dynamic cloud environments leads to delays and security gaps.
- **Ignoring Excess Permissions in Development:** Allowing overly permissive roles or credentials to be provisioned via IaC without early policy checks will result in difficult, retrofitting cleanup later.
- **Static JIT Implementation:** Implementing JIT access without automatic revocation mechanisms essentially creates a new set of static, temporary permissions that are never cleaned up.
## Resources
- Guides/Documentation on implementing **Just-in-Time (JIT) access management**.
- Documentation for integrating **Cloud Security Posture Management (CSPM)** or **CIEM** tools with **SIEM** and **ticketing systems**.
- Frameworks or documentation for embedding **Infrastructure as Code (IaC) security** practices in the CI/CD pipeline.